Arrangements, Methods, and Software for Managing Objects and Resolving Different Types of Events Associated with Such Objects

ABSTRACT

An arrangement for resolving different types of events includes a central system communicatively coupled to each of a plurality of lower level systems. The central system is configured to receive information associated with a particular event from one of the plurality of lower level systems, to determine an event type associated with the particular event, and to determine whether the central system includes a particular policy associated with resolving the event type associated with the particular event. When the central system includes the particular policy, the central system is further configured to resolve the particular event in accordance with the particular policy. Moreover, when the central system does not include the particular policy the central system is further configured to request information associated with the particular policy, to receive the information associated with the particular policy, to resolve the particular event in accordance with the particular policy, to store the particular policy in a database, and to resolve future events that are of the event type associated with the particular type of event in accordance with the particular policy.

The present invention claims priority from U.S. Provisional PatentApplication Ser. No. 60/744,256, which is entitled “Arrangements,Methods, and Software for Managing Objects and Resolving Different Typesof Events Associated with such Objects,” and was filed on Apr. 4, 2006,the disclosure of which is incorporated herein by reference in itsentirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is related generally to arrangements, methods, andsoftware for managing objects and for resolving different types ofevents associated with such objects. In particular, the presentinvention is directed towards arrangements, methods, and software inwhich in a central system is configured to resolve different types ofevents in accordance with predetermined policies, and to dynamicallyreceive new policies and/or update existing policies.

2. Description of Related Art

Information technology plays a substantial role in managing operationaland business risks, and in ensuring that organizational assets areprotected and compliance with pertinent regulations may be satisfiedwhile ensuring continuity of on-going information technology operationsthat support the organization. Information technology organizations areunder substantial pressure to more effectively manage informationtechnology operational and capital costs. While managing costs,information technology organizations also are being asked to increasethe level of service being delivered to the business and to respondquickly to business change, often times with no additional budget.Moreover, information technology needs to add value to the business tohelp fuel corporate growth by aligning investments in a manner thatsupports new business incentives and ensures that the business's mostcritical processes are working effectively and efficiently.Nevertheless, a substantial portion of the information technologyorganizations today spend upwards of 70% of their total budgetmaintaining the day-to-day operations of the business, whichsubstantially reduces the information technology organization'sopportunity to proactively anticipate business needs or to innovate.

To succeed in today's business environment, businesses need to offerservices that are comparable or better than their competition. Banks,retail stores, and even utility companies need to provide fast servicein their stores and on their web sites. If their services are slow orunavailable, customers will quickly look for alternatives. Theoperations staff needs to ensure that the business services areavailable and are providing acceptable performances. To meet theseobjectives, tools are installed to monitor the health of the informationtechnology environment and processes are defined to assist in resolvingproblems that arise. Examples of the types of tools that may beinstalled include agents to monitor operating systems, business criticalapplications such as SAP (systems, applications, processes), PeopleSoft,and Seibel, tools to prevent intruders from gaining access to thebusiness environment and sensitive information that could compromise thesecurity or the reputation of the business, trouble ticking systems toassist with problem notification and problem management, assetmanagement tools to provide important information about devices thatowned, and the like.

Generally, agents, tools, and processes are implemented in a disparatemanner over several years, and create several challenges for operationsmanagers. For example, software agents and devices generate a largenumber of trivial and non-trivial events. These events are transmittedto several different consoles depending on the type of device, thesoftware agent, or the device location. This requires the staff tomonitor multiple consoles and to manually filter the critical eventsfrom the trivial events. Manual processes may be time consuming andprone to error. Moreover, events may be transmitted from non-managedsources and may create extra work for the operations staff, e.g., theoperation staff may need to determine the source and the location of theevent. In addition, there is no correlation to understand how incomingevents may be related, and there is not a system that allows forreporting with respect to these events on a regular basis. This preventsthe operations staff from proactively managing the environment andidentifying and resolving potential problems before they occur. Thecombination of the above-described information technology issues causesthe operations staff to be ineffective and slow to identify and resolveproblems that directly affect the business, and requires additionalstaff members to monitor and mange the environment.

SUMMARY OF THE INVENTION

Therefore, a need has arisen for arrangements, methods, and softwarethat overcome these and other problems associated with the related art.The present invention presents a new approach for managing informationtechnology. The present invention is service oriented in it's approachto flexibly manage across the entire business and at the same timeprovides the agility to manage from the information technologyinfrastructure level up to the business process. The present inventionenables information technology organizations to overcome thefragmentation and complexity challenges associated with managinginformation technology, and provides a model for unifying andsimplifying the management of information technology in order to realizethe full potential of information technology. For example, the presentinvention may provide a layer of abstraction for business informationtechnology that is service driven and overcomes complexity issues,thereby allowing information technology infrastructure to be tied tobusiness processes. The present invention also may integrate informationtechnology management with a consistent approach across securitysystems, storage systems, node or server systems, network systems,application systems, and the like, and supports open standards andconnectivity. Moreover, the present invention may provide avendor-neutral, independent approach to information technologymanagement.

According to an embodiment of the present invention, an arrangement forresolving different types of events comprises a central systemcommunicatively coupled to each of a plurality of lower level systems.The central system is configured to receive information associated witha particular event from one of the plurality of lower level systems, todetermine an event type associated with the particular event, and todetermine whether the central system comprises a particular policyassociated with resolving the event type associated with the particularevent. When the central system comprises the particular policy, thecentral system is further configured to resolve the particular event inaccordance with the particular policy. Moreover, when the central systemdoes not comprise the particular policy the central system is furtherconfigured to request information associated with the particular policy,to receive the information associated with the particular policy, toresolve the particular event in accordance with the particular policy,to store the particular policy in a database, and to resolve futureevents that are of the event type associated with the particular type ofevent in accordance with the particular policy.

According to another embodiment of the present invention, a method forresolving different types of events, in which a central system iscommunicatively coupled to each of a plurality of lower level systems,comprises the steps of receiving information associated with aparticular event from one of the plurality of lower level systems, anddetermining an event type associated with the particular event. Themethod also comprises the steps of determining whether the centralsystem comprises a particular policy associated with resolving the eventtype associated with the particular event, and when the central systemcomprises the particular policy, resolving the particular event inaccordance with the particular policy. Nevertheless, when the centralsystem does not comprise the particular policy, the method comprises thesteps of requesting information associated with the particular policy,receiving the information associated with the particular policy,resolving the particular event in accordance with the particular policy,storing the particular policy in a database, and resolving future eventsthat are of the event type associated with the particular type of eventin accordance with the particular policy.

According to yet another embodiment of the present invention, a softwarearrangement which, when executed by a processing arrangement associatedwith a central system communicatively coupled to each of a plurality oflower level systems, is configured to perform the steps of receivinginformation associated with a particular event from one of the pluralityof lower level systems, and determining an event type associated withthe particular event. The software arrangement also is configured toperform the steps of determining whether the central system comprises aparticular policy associated with resolving the event type associatedwith the particular event, and when the central system comprises theparticular policy, resolving the particular event in accordance with theparticular policy. Nevertheless, when the central system does notcomprise the particular policy, the software arrangement is configuredto perform the steps of requesting information associated with theparticular policy, receiving the information associated with theparticular policy, resolving the particular event in accordance with theparticular policy, storing the particular policy in a database, andresolving future events that are of the event type associated with theparticular type of event in accordance with the particular policy.

According to still another embodiment of the present invention, anarrangement for managing objects and for resolving different types ofevents associated with the objects comprises an operations managementsystem. The operations management system is configured to select aparticular object to be managed by the arrangement, to determine anobject type associated with the particular object, and to associate anevent selection policy with the particular object based at least on theobject type associated with the particular object, in which the eventselection policy indicates at least one event type that is associatedwith the particular object. The operations management system also isconfigured to selectively associate an agent with the particular object,in which the agent is associated with one of a plurality of lower levelsystems. The arrangement also comprises a central system communicativelycoupled to the operations management system and to each of the pluralityof lower level systems. The central system is configured to receiveinformation associated with a particular event from one of the pluralityof lower level systems, in which the particular event originates fromthe particular object, and to determine an event type associated withthe particular event. The central system also is configured to determinewhether the central system comprises a particular policy associated withresolving the event type associated with the particular event. Moreover,when the central system comprises the particular policy the centralsystem is further configured to resolve the particular event inaccordance with the particular policy. Nevertheless, when the centralsystem does not comprise the particular policy the central system isfurther configured to request information associated with the particularpolicy, to receive the information associated with the particularpolicy, to resolve the particular event in accordance with theparticular policy, to store the particular policy in a database, and toresolve future events that are of the event type associated with theparticular type of event in accordance with the particular policy.

According to still yet another embodiment of the present invention, amethod for managing objects and for resolving different types of eventsassociated with the objects, in which a central system iscommunicatively coupled to an operations managing system and each of aplurality of lower level systems, comprises the steps of selecting aparticular object to be managed by the arrangement, and determining anobject type associated with the particular object. The method alsocomprises the steps of associating an event selection policy with theparticular object based at least on the object type associated with theparticular object, in which the event selection policy indicates atleast one event type that is associated with the particular object, andselectively associating an agent with the particular object, in whichthe agent is associated with one of a plurality of lower level systems.The method further comprises the steps of receiving informationassociated with a particular event from one of the plurality of lowerlevel systems, in which the particular event originates from theparticular object, an determining an event type associated with theparticular event. The method further comprises the step of determiningwhether the central system comprises a particular policy associated withresolving the event type associated with the particular event. When thecentral system comprises the particular policy, the method alsocomprises the step of resolving the particular event in accordance withthe particular policy. Nevertheless, when the central system does notcomprise the particular policy, the method further comprises the stepsof requesting information associated with the particular policy,receiving the information associated with the particular policy,resolving the particular event in accordance with the particular policy,storing the particular policy in a database, and resolving future eventsthat are of the event type associated with the particular type of eventin accordance with the particular policy.

Other features and technical advantages of the present invention will beapparent to persons of ordinary skill in the art in view of thefollowing detailed description of the invention and the accompanyingdrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, the needssatisfied thereby, and the features and technical advantages thereof,reference now is made to the following descriptions taken in connectionwith the accompanying drawings.

FIG. 1 is a schematic of an arrangement for resolving different types ofevents, according to an embodiment of the present invention.

FIG. 2 is a flow chart of a method for resolving different types ofevents, according to an embodiment of the present invention.

FIG. 3 is a schematic of an arrangement for managing objects and forresolving different types of events associated with the objects,according to an embodiment of the present invention.

FIG. 4 is flow chart of a method for managing objects and for resolvingdifferent types of events associated with the objects, according to anembodiment of the present invention.

FIGS. 5 a and 5 b are flow charts of a method for managing objects,according to an embodiment of the present invention.

FIGS. 6 a and 6 b are flow charts of a method for managing objects, inwhich the embodiment of the present invention depicted in FIGS. 5 a and5 b are modified.

FIGS. 7 a and 7 b are flow charts of a method for managing objects, inwhich the embodiment of the present invention depicted in FIGS. 6 a and6 b are modified.

FIGS. 8 a and 8 b are flow charts of a method for managing objects, inwhich the embodiment of the present invention depicted in FIGS. 7 a and7 b are modified.

FIG. 9 is a flow chart of a method for resolving different types ofevents, according to an embodiment of the present invention.

FIG. 10 is a flow chart of a method for resolving different types ofevents, in which the embodiment of the present invention depicted inFIG. 9 is modified.

FIG. 11 is a flow chart of a method for resolving different types ofevents, in which the embodiment of the present invention depicted inFIG. 10 is modified.

FIG. 12 is a flow chart of a method for resolving different types ofevents, in which the embodiment of the present invention depicted inFIG. 11 is modified.

FIG. 13 is a flow chart of a method for reporting data associated withmanaged objects and events associated with such managed objects,according to an embodiment of the present invention.

FIG. 14 is a flow chart of a method for reporting data associated withmanaged objects and events associated with such managed objects, inwhich the embodiment of the present invention depicted in FIG. 13 ismodified.

FIG. 15 is a flow chart of a method for reporting data associated withmanaged objects and events associated with such managed objects, inwhich the embodiment of the present invention depicted in FIG. 14 ismodified.

FIG. 16 is a flow chart of a method for reporting data associated withmanaged objects and events associated with such managed objects, inwhich the embodiment of the present invention depicted in FIG. 15 ismodified.

DETAILED DESCRIPTION OF EMBODIMENTS

Embodiments of the present invention and their features and technicaladvantages may be understood by referring to FIGS. 1-16, like numeralsbeing used for like corresponding parts in the various drawings.

Referring to FIG. 1, an arrangement 100 for resolving different types ofevents, according to an embodiment of the present invention, isdepicted. Arrangement 100 may comprise a central system 108 and aplurality of lower level systems 102, e.g., a first lower level system104 and a second lower level system 106, communicatively coupled tocentral system 108. For example, each of lower level systems 102 may bea security system, a network system, a storage system, a node or serversystem, an application system, or the like. Moreover, those of ordinaryskill in the art readily will understand that lower level systems 102may comprise any number of lower level systems. Central system 108 maycomprise a filter and consolidation program 110, an event database 112,an event type determination program 114, an event policy manager 116,and an event policy database 118.

Referring to FIG. 2, a method 200 for resolving different types ofevents using arrangement 100, according to an embodiment of the presentinvention, is depicted. In step 210, method 200 begins, and in step 220,central system 108 receives information associated with a particularevent from one of lower level systems 102. For example, the particularevent may be a security event, a network event, a storage event, a nodeor server event, an application event, or the like. In one embodiment ofthe present invention, the particular event may have a status associatedtherewith, e.g., may have a critical status or a non-critical status,such as a warning status, an informational status, or the like, andfilter and consolidation program 110 may consolidate repetitive events,filter and store information associated events that are non-criticalevents in event database 112, and transmit information associated withcritical events to event type determination program 114. In step 230,event type determination program 114 determines the event typeassociated with the particular event. For example, event typedetermination program 114 may determine the event type based on which oflower level systems 102 transmitted the information associated with theparticular event to central system 108, e., an event transmitted from asecurity system may be a security event type, an event transmitted froma network system may be a network event type, an event transmitted froma storage system may be a storage event type, an event transmitted froma node or server system may be a node or server event type, and an eventtransmitted from an application system may be an application event type.

In step 240 event policy manager 116 determines whether central system108 comprises a particular policy associated with resolving the eventtype associated with the particular event, e.g., by accessing eventpolicy database 118. If central system 108 comprises the particularpolicy, then in step 250 central system 108 resolves the particularevent in accordance with the particular policy. For example, under theparticular policy, central system 108 may forward information associatedwith the particular event to an operations manager system (not shown),such that an operation manager may review the information associatedwith the particular event, determine what service is affected by theparticular event, create a help desk ticket associated with theparticular event, and forward the information associated with theparticular event (and other information if appropriate) to anappropriate incident manager in charge of resolving the particularevent. Method 200 then may proceed to step 295 and the particular eventmay be cleared. If, however, in step 240 event policy manager 116determines that central system 108 does not comprise the particularpolicy, then in step 260, central system 108 requests the particularpolicy, e.g., from the operations manager system. In step 270 centralsystem 108 receives the particular policy, and step 280, central system108 resolves the particular event in accordance with the particularpolicy. For example, under the particular policy, central system 108 mayforward information associated with the particular event to theoperations manager system, such that the operation manager may reviewthe information associated with the particular event, determine whatservice is affected by the particular event, create a help desk ticketassociated with the particular event, and forward the informationassociated with the particular event (and other information ifappropriate) to an appropriate incident manager in charge of resolvingthe particular event. In step 290, central system 108 stores theparticular policy in event policy database 118, such that the next timean event that is of the event type associated with the particular typeof event occurs, central system 108 will comprise the particular policy,and will not have to request the particular policy. Method 200 then mayproceed to step 295 and the particular event may be cleared.

Referring to FIG. 3, an arrangement 300 for resolving different types ofevents, according to another embodiment of the present invention, isdepicted. Arrangement 300 may comprise a central system 308, anoperations manager system 326, and a plurality of lower level systems302, e.g., a first lower level system 304 and a second lower levelsystem 306, communicatively coupled to central system 308. For example,each of lower level systems 302 may be a security system, a networksystem, a storage system, a node or server system, an applicationsystem, or the like. In this embodiment, first lower level system 304comprises a first object 320 and a second object 322, and second lowerlevel system 306 comprises first object 320 and third object 324, e.g.,in this embodiment, first object 320 is associated with both first lowerlevel system 304 and second lower level system 306. Nevertheless, thoseof ordinary skill in the art readily will understand that lower levelsystems 302 may comprise any number of lower level systems, and eachobject may be associated with any number of lower level systems. Centralsystem 308 may comprise a filter and consolidation program 310, an eventdatabase 312, an event type determination program 314, an event policymanager 316, and an event policy database 318.

Referring to FIG. 4, a method 400 for managing objects and for resolvingdifferent types of events associated with the objects using arrangement300, according to an embodiment of the present invention, is depicted.In step 405, method 400 begins, and in step 410, a particular object,e.g., one of objects 320, 322, and 324 is selected to be managed. Forexample, an operations manager may select the particular object viaoperations management system 326. In step 415, operations managementsystem 326 determines an object type associated with the particularobject, e.g., a server object type, an windows 2000 box object type, astorage unit object type, or the like. Those of ordinary skill in theart readily will understand that there may be any number of differentobject types. In step 420, an event selection policy is associated withthe particular object based at least on the object type associated withthe particular object. Specifically, the event selection policyindicates at least one event type that is associated with the particularobject. In step 425, an agent, e.g., a software agent, may be associatedwith the particular object, and the agent being associated with one ofthe lower level systems. Those of ordinary skill in the art readily willunderstand that because the particular object may be associated withmore than one of the lower level systems, it may be desirable toassociate a plurality of agents with the particular object, with eachagent being associated with a different one of the lower level systems.In step 430, central system 308 receives information associated with aparticular event from one of lower level systems 302. For example, theparticular event may be a security event, a network event, a storageevent, a node or server event, an application event, or the like, andthe particular event originates from the particular object. In oneembodiment of the present invention, the particular event may have astatus associated therewith, e.g., may have a critical status or anon-critical status, such as a warning status, an informational status,or the like, and filter and consolidation program 310 may consolidaterepetitive events, filter and store information associated events thatare non-critical events in event database 312, and transmit informationassociated with critical events to event type determination program 314.In step 435, event type determination program 314 determines the eventtype associated with the particular event. For example, event typedetermination program 314 may determine the event type based on which oflower level systems 302 transmitted the information associated with theparticular event to central system 308, e.g., an event transmitted froma security system may be a security event type, an event transmittedfrom a network system may be a network event type, an event transmittedfrom a storage system may be a storage event type, an event transmittedfrom a node or server system may be a node or server event type, and anevent transmitted from an application system may be an application eventtype.

In step 440 event policy manager 316 determines whether central system308 comprises a particular policy associated with resolving the eventtype associated with the particular event, e.g., by accessing eventpolicy database 318. If central system 308 comprises the particularpolicy, then in step 445 central system 308 resolves the particularevent in accordance with the particular policy. For example, under theparticular policy, central system 308 may forward information associatedwith the particular event to operations manager system 326, such that anoperation manager may review the information associated with theparticular event, determine what service is affected by the particularevent, create a help desk ticket associated with the particular event,and forward the information associated with the particular event (andother information if appropriate) to an appropriate incident manager incharge of resolving the particular event. Method 400 then may proceed tostep 470 and the particular event may be cleared. If, however, in step440 event policy manager 416 determines that central system 408 does notcomprise the particular policy, then in step 450, central system 308requests the particular policy, e.g., from operations manager system326. In step 455 central system 408 receives the particular policy, andstep 460, central system 308 resolves the particular event in accordancewith the particular policy. For example, under the particular policy,central system 408 may forward information associated with theparticular event to operations manager system 326, such that theoperation manager may review the information associated with theparticular event, determine what service is affected by the particularevent, create a help desk ticket associated with the particular event,and forward the information associated with the particular event (andother information if appropriate) to an appropriate incident manager incharge of resolving the particular event. In step 463, central system308 stores the particular policy in event policy database 318, such thatthe next time an event that is of the event type associated with theparticular type of event occurs, central system 308 will comprise theparticular policy, and will not have to request the particular policy.Method 400 then may proceed to step 470 and the particular event may becleared.

Referring to FIGS. 8 a and 8 b, a method 800 for managing objectsaccording to an embodiment of the present invention, is depicted. FIGS.5 a-7 b depict methods 500, 600, and 700, respectively, for managingobjects according to embodiments of the present invention. Methods 500,600, and 700 are similar to method 800, except that some of the stepsfrom method 800 are removed from methods 500, 600, and 700. Therefore,only method 800 is described in the present application. Specifically,methods 500, 600, 700, and 800 represent different levels of managingobjects, with method 500 being the least active method of managingobjects, and method 800 being the most active method of managingobjects. Method 800 includes seven (7) possible starting points,corresponding to steps 802-814, depending on the type of object managingthe operations manager wishes to implement at a given time. Step 802corresponds to removing existing managed objects, step 804 correspondsto updating managed objects, step 806 corresponds to reconciling themanaged object database, step 808 corresponds to reviewing managedobject policies, step 810 corresponds to changing managed objectmonitoring requirement, step 812 corresponds to adding new managedobjects, and step 814 corresponds to discovering of new infrastructureobjects. Moreover, because steps 802 and 804, steps 808 and 810, andsteps 812 and 814 follow common paths within the flow chart of FIG. 8a,respectively, these steps are grouped together in the discussion ofmethod 800.

When the operations manager wishes to remove an existing managed object,in step 802, an existing monitored object is selected for removal, andin step 816, a request for the removal of the selected, managed objectis received. Method 800 then proceeds to step 820. When the operationsmanager wishes to update a managed object, in step 804, an existingmonitored object is selected for updating, and in step 818, a requestfor the updating of the managed object is received. Method 800 thenproceeds to step 820.

In step 820, it is determined whether the managed object is verified. Ifit is not verified, in step 822, there is a failure to match the managedobject against a configuration item, and in step 824, the removal orupdating of the managed object is canceled. If, however, in step 820 themanaged object is verified, then in step 826 the panned change isdocumented, and in step 828, the changed is applied in the managedobject database. If step 802 originally was selected, method 800 thenproceeds to step 830, if, however, step 804 original was selected,method 800 instead proceeds to step 834.

In step 830, it is determined whether the managed object is included inthe managed object filtering policy. If the managed object is notincluded in the managed object filtering policy, method 800 proceeds tostep 838, if, however, the managed object is included in the managedobject filtering policy, then in step 832, the managed object is removedfrom the managed object filtering policy, and method 800 proceeds tostep 838.

In step 834, it is determined whether the managed object type associatedwith the selected managed object still should be managed. If the managedobject type associated with the selected managed object still should bemanaged, method 800 proceeds to step 838, if, however, the managedobject type associated with the selected managed object should notcontinue to be managed, then in step 836, a filter policy is added tothe managed object, and method 800 proceeds to step 838.

In step 838, it is determined whether the managed object event policy isredundant. If the managed object event policy is redundant, then in step840, the managed object event policy is removed. If step 802 originallywas selected, method 800 then proceeds to step 842, if, however, step804 original was selected, method 800 instead proceeds to step 846.

In step 842, a service request to remove the agent or agents associatedwith the managed object is sent, and in step 844, the agent or agentsare removed and the managed object removal successfully is complete.

In step 846, it is determined whether the existing managed object policymay be used for the updated managed object. If the existing managedobject policy may be used for the updated managed object, then in step848 the updating of the managed object successfully is complete. If,however, the existing managed object policy may not be used for theupdated managed object, method 800 proceeds to step 875.

In steps 875-892, various policies for the managed object are updated oradded, and in step 906 the event storage and retention policy orinfrastructure is updated. In step 907 a it is determined whether anaction rule is included in the policy. If the action rule is included inthe policy, the automated action policy is updated, and method 800proceeds to step 908, and if the action rule is not included in thepolicy, method 800 proceeds directly to step 908.

In step 908, an incident resolution is generated which recommends anaction to be taken, and in step 910 the new policy infrastructure is setup in a test environment. In step 912, test events are simulated for theupdated managed object, and in step 914, it is determined whether thenew policy infrastructure is validated based on the test events. If thestep new policy infrastructure is not validated, then in step 916, thepolicy infrastructure is reviewed and amended, and method 800 returns tostep 910. If, how, the new policy infrastructure is validated in step914, then the method proceeds to step 918. In step 918, the plannedpolicy change is documented, and if applicable, the operations managerfollows a configuration management processes for implementing thechanges. For example, in step 920 a the policy or infrastructure changeis submitted to the operations manager, and in step 920 a the change isprocessed. In step 920 c it is determined whether to approve the change.If the change is not approved, method 800 proceeds to step 920 d wherethe change is revised and method 800 then returns to step 920 a.Nevertheless, if the change is approved in step 920 c, method 800proceeds to step 922. In step 922 the new policy is applied andverified, and in step 924, method 800 is complete.

When the operations manager wishes to reconcile the managed objectdatabase, in step 806, the operations manager schedules a time forreconciling the managed object database. In step 850, there is automaticreconciliation between the configuration management database, a servicecatalog, and the managed object database. In step 852, any incidents ofreconciliation failure automatically are opened, and in step 854, eventpolicies are updated and/or verified based on managed object type andassociated configuration item. In step 856, reconciliation is complete.

When the operations manager wishes review an existing policy, in step808, the policy for review is selected, and method 800 proceeds to step858. When the operations manager wishes to make a change to the managedobject monitoring requirements, in step 810, the policy associated withthe managed object is selected, and method 800 proceeds to step 858. Instep 858, the existing event policy is reviewed, and in step 860, metricand trend reports associated with the policy are reviewed. In step 862,the planned managed object changes are reviewed, and in step 864, animpact of the planned changes is defined. In step 866, it is determinedwhat type of changes to the managed object are planned. If it isdetermined that the planned changes do not affect the type of themanaged object, or if the planned change corresponds to additionalmanaged objects of the same type, method 800 proceeds to step 872. If,however, it is determined that the planned changes will change the typeof the managed object, then in step 868 the existing managed object isdeleted/removed, and it is determined whether the policy associated withthe deleted managed object also is to be deleted/removed. If the policyis not to be deleted/removed, method 800 proceeds to step 872, if,however, the policy is to be deleted/removed, and in step 870, thepolicy is marked for subsequent deletion/removal, and method 800proceeds to step 872. In step 872, it is determined whether a new orupdated policy is required for the managed object. If a new or updatedpolicy is not required, then in step 874 the review process is complete.If, however, a new or updated policy is required, then method 800proceeds to step 875, which is described above in detail.

If the operations manager wishes to add new monitored infrastructure,e.g., add a new managed object, then in step 812, the new managed objectis selected, and in step 926, a request to add the new managed object ismade. Method 800 then proceeds to step 930. If the operations managerwishes to schedule the discovery of managed infrastructure, in step 814,the discovery is scheduled, and in step 928, notification of the newmanaged objects is received. Method 800 then proceeds to step 930.

In step 930, it is determined whether the object is verified. If it isnot verified, in step 932, there is a failure to match the objectagainst a configuration item, and in step 934, method 800 is canceled.If, however, in step 930 the object is verified, then in step 936 it isdetermined whether the object is classified. If the object is notclassified, then in step 938, manual review is required, and in step 940an event policies or polices is assigned to objects of this type. Method800 then proceeds to step 942. If, however, the object is classified instep 936, then method 800 proceeds to step 942.

In step 942, it is determined whether the object will be managed. If theobject will not be managed, then in step 944 events for the object arefiltered, and in step 946, the object is added with the filter. Method800 then is complete. If, however, the object is to be managed in step942, then in step 948, it is determined whether an agent is required forthe object, e.g., the object may come with a pre-installed agent, suchthat an additional agent may not be required. If an agent is required,then in step 950, an open service require to install the agent is sent,and in step 952, the agent is installed. In step 954 the service requestis closed, and method 800 proceeds to step 956. If, however, an agent isnot required in step 948, then method proceeds to step 956.

In step 956, it is determined whether the operations manager is able toconnect to the object to be managed. If the operations manager is ableto connect to the object to be managed, method 800 proceeds to step 964.If, however, the operations manager is not able to connect to the objectto be managed, then in step 958, an open service request is transmittedrequesting that a gateway be setup. In step 960, the gateway setup iscomplete, and in step 962 the service request is closed. Method 800 thenproceeds to step 964. In step 964, communication between the object tobe managed and the operations manager is verified. If the verificationis not successful, then in step 966 incident to resolve the problem isopened, and in step 968 a notification that the incident was closed andthe problem was resolved is received. Method 800 then returns to step964. If, however, in step 964 communication is verified, then in step970 a policy for the object to be managed is determined based at leaston the type of the object to be managed. In step 972 it is determinedwhether an existing policy may be used for the object to be managed. Ifan existing policy may be used, then method 800 proceeds to step 922,which is described above in detail. If, however, an existing policycannot be used, then method 800 proceeds to step 876, which is describedabove in detail.

Referring to FIG. 12, a method 1200 for resolving different types ofevents according to an embodiment of the present invention, is depicted.FIGS. 9-11 depict methods 900, 1000, and 1100, respectively, forresolving different types of events according to embodiments of thepresent invention. Methods 900, 1000, and 1100 are similar to method1200, except that some of the steps from method 1200 are removed frommethods 900, 1000, and 1100. Therefore, only method 1200 is described inthe present application. Specifically, methods 900, 1000, 1100, and 1200represent different levels of resolving events, with method 900 beingthe least active method of resolving events, and method 1200 being themost active method of resolving events. Moreover, method 900 may be usedin combination with method 500, method 1000 may be used in combinationwith method 600, method 1100 may be used in combination with method 700,and method 1200 may be used in combination with method 800.

Referring to FIG. 12, in step 1202, an event in the managed objectdatabase is detected, and in step 1204, information associated with theevent is received. In step 1206, similar events which are received areconsolidated into a single event, and in step 1208, the event iscompared against the filtering policy. In step 1210, it is determinedwhether the event is to be filtered. In the event is to be filtered,then in step 1212, it is determined whether the filtered event is to bestored. If the filtered event is not to be stored, then in step 1214 theevent is cleared. If the filtered event is to be stored, then in step1213, the event is stored, and in step 1214, the event is cleared. If instep 1210 it is determined that the event is not to be filtered, then instep 1215 the event is de-duplicated, e.g., a redundancy with respect tostep 1206. In step 1216, it is determined whether the event can beclassified. If the event cannot be classified, then in step 1217, anoperator notification is created that the event type is unknown, andmethod 1200 proceeds to step 1268 (discussed below). If, however, theevent can be classified, then method 1200 proceeds to steps 1218-1222 ifthe event type is a security event (steps 1218-122 corresponding to asecurity event silo), steps 1224-1228 if the event type is a networkevent (steps 1224-1228 corresponding to a network event silo), steps1230-1234 if the event type is a storage event (steps 1230-1234corresponding to a storage event silo), steps 1236-1240 if the eventtype is a system event (steps 1236-1240 corresponding to a system eventsilo), and steps 1242-1246 if the event type is an application event(steps 1242-1246 corresponding to an application event silo). In step1218, the event is classified as a security event, and step 1220 anevent correlation is attempted to be determined by comparing the eventwith previous security events to determine whether there is acorrelation between the events. In step 1222, the root cause of theevent is attempted to be determined, e.g., based on the determination inevent correlation step 1220, and method 1200 then proceeds to step 1248.Steps 1224-1228; 1230-1234; 126-1240; and 142-1246 are similar to steps1218-1222. Therefore, these steps are not discussed in detail.

In step 1248, an event correlation is attempted to be determined bycomparing the event with previous events from each of the silos todetermine whether there is a correlation between the events, e.g., anevent which is classified as a security event may be correlated withevents that are non-security events. If there is no correlation, thenmethod 1200 proceeds to step 1252. Nevertheless, if there is acorrelation, then in step 1250, the original event is cleared andstored, and the correlated event is generated. Method 1200 then proceedsto step 1252. In step 1252, the event is prioritized to determine theseverity of the event. In step 1254, it is determined whether the eventis an informational event. If the event is an informational event, thenin step 1256, the event is stored for future review, and in step 1258the event is cleared. Method 1200 then is complete. If, however, in step1254 the event is not an informational event, then in step 1260 it isdetermined whether the event is a warning event. If the event is awarning event, then in step 1262, it is determined whether the eventmatches a warning correlation policy. If the event does not match awarning correlation policy, then the event proceeds to step 1256, whichis described in detail above. If the event matches a warning correlationpolicy, then method 1200 proceeds to step 1264. Similarly, if the eventis not a warning event in step 1260, method 1200 also proceeds to step1264.

In step 1264, it is determined whether the event is a severe event. Ifthe event is a severe event, then method 1200 proceeds to step 1276. Ifit is determined that the event is not classified as a sever event, thenthe classification of the event is unknown, i.e., because it is not aninformational event, a warning event, or a severe event, and method 1200proceeds to step 1266. In step 1266, a notification that an event withan unknown classification was received is created and transmitted to theoperations manager. In step 1268, the operations manager classifies theevent. If the event is classified as an informational event, method 1200proceeds to step 1270, if the event is classified as a warning event,method 1200 proceeds to step 1272, and if the event is classified as asevere event, method 1200 proceeds to step 1274. In step 1270, the eventmanagement policy is updated to update the filtering rules and/or assigna warning classification for future, similar events, and method 1200proceeds to steps 1256 and 1258. In step 1272, the event managementpolicy is updated to assign a warning classification for future, similarevents, and method 1200 proceeds to steps 1256 and 1258. In step 1274,the event management policy is updated to assign a severe classificationfor future, similar events, and method 1200 proceeds to step 1276.

In step 1276, an incident report is created for the event, and in step1278, the event is automatically is assigned based on the root cause ofthe event. In step 1280, a knowledge base is queried for possibleresolutions for the event, and in step 1282, the incident report isupdated based on the possible resolutions. In step 1284, the event isacknowledged and stored in the event database, and in step 1286, theevent automatically is forwarded to the event manager. In step 1288 itis determined whether an approved action is defined. If there is noapproved action, then method 1200 proceeds to step 1314. If, however,there is an approved action, then in step 1290, the action is applied.In step 1292 the configuration management database is backed-up, and instep 1294, the configuration management database is updated. In step1296 it is determined whether verification by the operations manager ofthe resolution is required. If operations manager verification is notrequired, then in step 1298, the automated resolution is verified, andmethod 1200 proceeds to step 1306. If operations manager verification isrequired, then in step 1302 a resolution notification is forwarded tothe operations manager, and in step 1304 the operations manger verifiesthe automatic resolution. Method 1200 then proceeds to step 1306.

In step 1306 it is determined whether the verification was successful.If the verification was successful, then in step 1310 the event iscleared, and in step 1312 the incident report is updated to indicate theaction which was applied. Method 1200 then proceeds to step 1314. If,however, the verification was not successful in step 1306, then in stepan incident report is opened to resolve the fault, and method 1200proceeds to step 1312 and step 1314. In step 1314 an incident managermanages the incident to closure, and in step 1316, the incident managersends a notification indicating the incident has been closed. In step1318, the event is cleared (if required), and in step 1320, eventresolution is complete.

Referring to FIG. 16, a flow chart of a method 1600 for reporting dataassociated with managed objects and events associated with such managedobjects is depicted. FIGS. 13-15 depict methods 1300, 1400, and 1500,respectively, for reporting data associated with managed objects andevents associated with such managed objects according to embodiments ofthe present invention. Methods 1300, 1400, and 1500 are similar tomethod 1600. Therefore, only method 1600 is described in the presentapplication. Specifically, methods 1300, 1400, 1500, and 1600 representdifferent levels of reporting data, with method 1300 being the leastactive method of reporting events, and method 1600 being the most activemethod of reporting events. Moreover, method 1300 may be used incombination with methods 500 and 900, method 1400 may be used incombination with methods 600 and 1000, method 1500 may be used incombination with methods 700 and 1100, and method 1600 may be used incombination with methods 800 and 1200.

Method 1600 includes four possible starting points, depending the typeof information which the operations manager requires. Specifically, step1602 corresponds to information required by the operations manager toinvestigate a problem, step 1604 corresponds to historical data, step1606 corresponds to information associated with generating anoperational status report, and step 1608 corresponds to informationassociated with generating an incident report. When step 1602 isselected, method 1600 proceeds to steps 1610, 1614, and 1620; wheneither of steps 1604 and 1606 is selected, method 1600 proceeds to steps1612, 1614, and 1620; and when step 1608 is selected, method 1600proceeds to steps 1616, 1618, and 1620.

After the selection of step 1602, in step 1610, an event report iscreated, e.g., a historical view of events and severity by managedobject type and managed object location, and in step 1614, theconfiguration management database is queried. Method 1600 then proceedsto step 1620. After the selection of either step 1604 or 1606, in step1612, a scheduled events report is generated, e.g., warnings, systemaccesses, system changes, events/incidents by configuration item, or thelike, and in step 1614, the configuration management database isqueried. Method 1600 then proceeds to step 1620. When step 1608 isselected, in step 1616, the operations manager requests data associatedwith incidents and resolution status, and in step 1618, the requesteddata is extracted from the incident management system. Method 1600 thenproceeds to step 1620.

In step 1620, a report is created, and in step 1622, the operationsmanager receives notification of the report. In step 1624, it isdetermined whether the report should be archived. If the report is to bearchived, in step 1626, the report is archived, and in step 1628, thereport is saved and method 1600 is complete. If the report is not to bearchived, then in step 1630 the report is deleted, and in step 1632 thereport is purged and method 1600 is complete.

While the invention has been described in connection with exemplaryembodiments, it will be understood by those skilled in the art thatother variations and modifications of the exemplary embodimentsdescribed above may be made without departing from the scope of theinvention. Other embodiments will be apparent to those skilled in theart from a consideration of the specification or practice of theinvention disclosed herein. It is intended that the specification andthe described examples are considered merely as exemplary of theinvention, with the true scope of the invention being indicated by theflowing claims.

1. An arrangement for resolving different types of events, comprising acentral system communicatively coupled to each of a plurality of lowerlevel systems, wherein the central system is configured: to receiveinformation associated with a particular event from one of the pluralityof lower level systems; to determine an event type associated with theparticular event; and to determine whether the central system comprisesa particular policy associated with resolving the event type associatedwith the particular event, wherein when the central system comprises theparticular policy the central system is further configured to resolvethe particular event in accordance with the particular policy, and whenthe central system does not comprise the particular policy the centralsystem is further configured: to request information associated with theparticular policy; to receive the information associated with theparticular policy; to resolve the particular event in accordance withthe particular policy; to store the particular policy in a database; andto resolve future events that are of the event type associated with theparticular type of event in accordance with the particular policy. 2.The arrangement of claim 1, wherein each of the plurality of lower levelsystems is selected from the group consisting of a security system, anetwork system, a storage system, a node system, and an applicationsystem.
 3. The arrangement of claim 1, wherein the central system isfurther configured to filter and to store the information associatedwith the particular event when the particular event has a first status,and to determine whether the central system comprises the particularpolicy when the particular event has a second status.
 4. The arrangementof claim 3, wherein the second status comprises a critical type ofevent, and the first status comprises a non-critical type of event. 5.The arrangement of claim 4, wherein each critical type of event and eachnon-critical type of event is selected by an operator of the pluralityof lower level systems.
 6. The arrangement of claim 1, wherein thecentral system is operated by a first entity, and each of the pluralityof lower level systems is operated by a second entity that is differentthan and not associated with the first entity.
 7. The arrangement ofclaim 1, wherein the central system is configured to determine the eventtype associated with the particular event based on which of theplurality of lower level systems transmits the information associatedwith the particular event to the central system.
 8. A method forresolving different types of events, wherein a central system iscommunicatively coupled to each of a plurality of lower level systems,and the method comprises the steps of: receiving information associatedwith a particular event from one of the plurality of lower levelsystems; determining an event type associated with the particular event;determining whether the central system comprises a particular policyassociated with resolving the event type associated with the particularevent; when the central system comprises the particular policy,resolving the particular event in accordance with the particular policy;and when the central system does not comprise the particular policy,requesting information associated with the particular policy, receivingthe information associated with the particular policy, resolving theparticular event in accordance with the particular policy, storing theparticular policy in a database, and resolving future events that are ofthe event type associated with the particular type of event inaccordance with the particular policy.
 9. The method of claim 8, whereineach of the plurality of lower level systems is selected from the groupconsisting of a security system, a network system, a storage system, anode system, and an application system.
 10. The method of claim 8,further comprising the step of filtering and storing the informationassociated with the particular event when the particular event has afirst status, and wherein the step of determining whether the centralsystem comprises the particular policy comprises the sub-step ofdetermining whether the central system comprises the particular policywhen the particular event has a second status.
 11. The method of claim10, wherein the second status comprises a critical type of event, andthe first status comprises a non-critical type of event.
 12. The methodof claim 11, wherein each critical type of event and each non-criticaltype of event is selected by an operator of the plurality of lower levelsystems.
 13. The method of claim 8, wherein the central system isoperated by a first entity, and each of the plurality of lower levelsystems is operated by a second entity that is different than and notassociated with the first entity.
 14. The method of claim 8, wherein thestep of determining the event type associated with the particular eventcomprises the sub-step of determining the event type associated with theparticular event based on which of the plurality of lower level systemstransmits the information associated with the particular event to thecentral system.
 15. A software arrangement which, when executed by aprocessing arrangement associated with a central system communicativelycoupled to each of a plurality of lower level systems, is configured toperform the steps of: receiving information associated with a particularevent from one of the plurality of lower level systems; determining anevent type associated with the particular event; determining whether thecentral system comprises a particular policy associated with resolvingthe event type associated with the particular event; when the centralsystem comprises the particular policy, resolving the particular eventin accordance with the particular policy or forwarding the informationassociated with the particular event to an operations manager system;and when the central system does not comprise the particular policy,requesting information associated with the particular policy, receivingthe information associated with the particular policy, resolving theparticular event in accordance with the particular policy, storing theparticular policy in a database, and resolving future events that are ofthe event type associated with the particular type of event inaccordance with the particular policy.
 16. The software arrangement ofclaim 15, wherein each of the plurality of lower level systems isselected from the group consisting of a security system, a networksystem, a storage system, a node system, and an application system. 17.The software arrangement of claim 15, wherein the software arrangementis further configured to perform the step of filtering and storing theinformation associated with the particular event when the particularevent has a first status, and wherein the step of determining whetherthe central system comprises the particular policy comprises thesub-step of determining whether the central system comprises theparticular policy when the particular event has a second status.
 18. Thesoftware arrangement of claim 17, wherein the second status comprises acritical type of event, and the first status comprises a non-criticaltype of event.
 19. The software arrangement of claim 18, wherein eachcritical type of event and each non-critical type of event is selectedby an operator of the plurality of lower level systems.
 20. The softwarearrangement of claim 15, wherein the central system is operated by afirst entity, and each of the plurality of lower level systems isoperated by a second entity that is different than and not associatedwith the first entity.
 21. The software arrangement of claim 15, whereinthe step of determining the event type associated with the particularevent comprises the sub-step of determining the event type associatedwith the particular event based on which of the plurality of lower levelsystems transmits the information associated with the particular eventto the central system.
 22. An arrangement for managing objects and forresolving different types of events associated with the objects,comprising: an operations management system configured: to select aparticular object to be managed by the arrangement; to determine anobject type associated with the particular object; to associate an eventselection policy with the particular object based at least on the objecttype associated with the particular object, wherein the event selectionpolicy indicates at least one event type that is associated with theparticular object; to selectively associate an agent with the particularobject, wherein the agent is associated with one of a plurality of lowerlevel systems; and a central system communicatively coupled to theoperations management system and to each of the plurality of lower levelsystems, wherein the central system is configured: to receiveinformation associated with a particular event from one of the pluralityof lower level systems, wherein the particular event originates from theparticular object; to determine an event type associated with theparticular event; and to determine whether the central system comprisesa particular policy associated with resolving the event type associatedwith the particular event, wherein when the central system comprises theparticular policy the central system is further configured to resolvethe particular event in accordance with the particular policy, and whenthe central system does not comprise the particular policy the centralsystem is further configured: to request information associated with theparticular policy; to receive the information associated with theparticular policy; to resolve the particular event in accordance withthe particular policy; to store the particular policy in a database; andto resolve future events that are of the event type associated with theparticular type of event in accordance with the particular policy. 23.The arrangement of claim 22, wherein each of the plurality of lowerlevel systems is selected from the group consisting of a securitysystem, a network system, a storage system, a node system, and anapplication system.
 24. The arrangement of claim 22, wherein the centralsystem is configured to determine the event type associated with theparticular event based on which of the plurality of lower level systemstransmits the information associated with the particular event to thecentral system.
 25. The arrangement of claim 22, wherein the operationsmanagement system is further configured: to selectively review the eventselection policy; and to selectively alter the event selection policy.26. A method for managing objects and for resolving different types ofevents associated with the objects, wherein a central system iscommunicatively coupled to an operations managing system and each of aplurality of lower level systems, the method comprising the steps of:selecting a particular object to be managed by the arrangement;determining an object type associated with the particular object;associating an event selection policy with the particular object basedat least on the object type associated with the particular object,wherein the event selection policy indicates at least one event typethat is associated with the particular object; selectively associatingan agent with the particular object, wherein the agent is associatedwith one of a plurality of lower level systems; receiving informationassociated with a particular event from one of the plurality of lowerlevel systems, wherein the particular event originates from theparticular object; determining an event type associated with theparticular event; determining whether the central system comprises aparticular policy associated with resolving the event type associatedwith the particular event; when the central system comprises theparticular policy, resolving the particular event in accordance with theparticular policy; and when the central system does not comprise theparticular policy, requesting information associated with the particularpolicy, receiving the information associated with the particular policy,resolving the particular event in accordance with the particular policy,storing the particular policy in a database, and resolving future eventsthat are of the event type associated with the particular type of eventin accordance with the particular policy.
 27. The method of claim 26,wherein each of the plurality of lower level systems is selected fromthe group consisting of a security system, a network system, a storagesystem, a node system, and an application system.
 28. The method ofclaim 26, wherein the step of determining the event type associated withthe particular event comprises the sub step of determining the eventtype associated with the particular event based on which of theplurality of lower level systems transmits the information associatedwith the particular event to the central system.
 29. The method of claim26, further comprising the steps of: selectively reviewing the eventselection policy; and selectively altering the event selection policy.